Add ability to enable ACME generation of SSL Certs #228
Conversation
misilot
force-pushed
the
acme-update
branch
3 times, most recently
from
b8616b3
to
ebeb813
Compare
With the additons from Islandora-Devops/isle-dc#228 requesting certificates via ACME / Let's Encrypt has changed, and should be easier for users to utilize.
With the additions from Islandora-Devops/isle-dc#228 requesting certificates via ACME / Let's Encrypt has changed, and should be easier for users to utilize.
misilot
force-pushed
the
acme-update
branch
2 times, most recently
from
f5c8979
to
cd9e9f7
Compare
|
I just rebased with the latest changes in development |
|
@misilot I tried to test this on macOS, but I am not sure if I followed the correct steps. I first ran Then I followed your recommended testing steps...
I was able to load up Islandora with xyz.com (not the actual domain), but I got a cert error. When I opened in the cert in macOS keychain app the domain said it was for traefik.me. Though I had to reset my set up to test another PR, so I want to give this another shot and will save the cert to look at it more closely. In the meantime how does my workflow look so far? Can this only be tested on an actual server or can I build "make custom" on my macOS machine to try to test this? Also, I tried using a ".com" domain that I actually already own, but not sure if that really matters to let's encrypt. |
|
@ysuarez the domain needs to resolve to a public IP Address and have appropriate firewall ports open. Since the default way acme works is it tries and access a file on the webserver (Traefik) over HTTP, and once it verifies that you are in control of the site it will than generate the SSL certificate for you. |
|
@misilot thanks for explaining how acme works. I was reading up on how "Let's Encrypt" & acme works, but some things were still not clear and at it seemed too easy to abuse. (Though I assumed I was wrong in that impression.) Now it makes a lot more sense that acme being able to connect from outside to verify the domain resolves to a public IP is the key check to proceed with creating the corresponding cert. Regretfully at this time I am not able to have the set up needed to test this PR. I was hoping I could help review this PR, AND also learn more about Let's Encrypt. At least I learned a lot thanks to you. Hopefully someone else could test it so this PR gets approved, since it would be a great improvement. |
|
Rebased with latest merge |
If the user enables USE_ACME, Traefik will attempt to acquire an SSL Certificate for ${DOMAIN}
Added the following variables with the defaults
USE_ACME=false
ACME_EMAIL-your-email
ACME_SERVER=https://acme-v02.api.letsencrypt.org/director
TRAEFIK_LOG_LEVEL=ERROR
There was a problem hiding this comment.
Passed with some modifications because of a known issue with isle-dc. Commented [here](Best Chainsaw) for modifications. I registered a domain name @ Google Domains and spun up a Linode Ubuntu 20.10 server. The screenshots show the cert results and declared it as valid.
Thanks for testing! Just curious what modifications did you have to make? |
|
Look here. The 2 lines following There was nothing wrong with this PR, it's a known issue with isle-dc currently. |
|
Thanks @DonRichards! |
With the additions from Islandora-Devops/isle-dc#228 requesting certificates via ACME / Let's Encrypt has changed, and should be easier for users to utilize.
With the additions from Islandora-Devops/isle-dc#228 requesting certificates via ACME / Let's Encrypt has changed, and should be easier for users to utilize.
If the user sets
ACME_SERVICE=true, Traefik will attempt to acquire an SSL Certificate for ${DOMAIN}Added the following variables with the defaults:
The last 2 variables, I did not add to
sample.env, do they need to be?To test this:
DOMAIN=customdomain.commake -B docker-compose.ymlmake upordocker-compose up -dCorresponding documentation update: Islandora/documentation/pull/2051